CVE-2022-23165

Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS)

Description

The parameter "helpPageName" used by the page "/help/treecontent.jsp" in Sysaid 14.2.0 is vulnerable to Reflected Cross-Site Scripting (XSS). Exploitation requires that the affected product exposes the Offline Help Pages and that the victim opens a malicious link. An attacker may gain access to sensitive information or execute client-side code in the victim's browser session, and may use this vulnerability to perform phishing attacks. The attacker can receive sensitive data such as server details, usernames, workstations, etc., and can also perform actions such as uploading files or deleting calls from the system.

Remediation

Solution:

  • Update to 22.2.20 cloud version, or to 22.1.64 on premise version.

CVSS: 5.5
Severity: Medium
EPSS 0.21%
Third-Party Advisory gov.il
Affected: SysAid Sysaid

Frequently Asked Questions

What is the severity of CVE-2022-23165?
CVE-2022-23165 has been scored as a medium severity vulnerability.
How to fix CVE-2022-23165?
To fix CVE-2022-23165: Update to 22.2.20 cloud version, or to 22.1.64 on premise version.
Is CVE-2022-23165 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2022-23165 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-23165?
CVE-2022-23165 affects SysAid Sysaid.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.